Re: [Freeipa-users] username case sensitivity
> On Wed, Jul 01, 2015 at 10:12:54AM +0200, Jakub Hrozek wrote: > > On Tue, Jun 30, 2015 at 08:16:05PM +, Andy Thompson wrote: > > > > > > > > > > On Fri, May 15, 2015 at 09:44:31PM +0200, Lukas Slebodnik > wrote: > > > > > >On (15/05/15 17:27), Andy Thompson wrote: > > > > > >>Is there a way to enforce case sensitivity for trusted AD > users? > > > > > >>I am > > > > > >trying to use username for ssh chroots and I can > > > > > >authenticated with any case combination of but > > > > > >if ssh is set to match on then the chroot is not > > > > > >enforced and the user is dropped to their usual home > > > > > >directory. I found a case_sensitive option for sssd but it > > > > > does not > > > > > >seem to have any affect. Running RHEL6.6 clients. > > > > > >IPA domain is by default case sensitive. > > > > > >So You will not change anything if you put "case_sensitive = > true" > > > > > >into domain section of sssd.conf. > > > > > > > > > > > >But SSSD will create subdomains for each AD domain. It is > > > > > >different id_provider therefore different default values > > > > > >are used for subdomains and for AD provider it is case > > > > > >*insensitive* by > > > > default. > > > > > > > > > > > >Currently there's no way how to change it for subdomains > > > > > >(AD trusted > > > > > >domains) > > > > > > > > > > > What are you using for the SSH matching? The way the case > > > > > insensitiveness is implemented in SSSD is that all usernames > > > > > are forcibly lowercased on output, so as long as SSH uses > > > > > the standard NSS calls, you should be good with using the > lowecase usernames.. > > > > > > > > > > >>>They were initially all in lower case and working when I > > > > > >>>tested and finalized > > > > > >>the setup. I passed the credentials off and they used mixed > > > > > >>case and the match stopped working. > > > > > >> > > > > > >>What is "they" ? I guess not SSSD but grabbing the data > > > > > >>directly from > > > > LDAP? > > > > > >The match clauses in the sshd config were set to use lower case > > > > > >names. It > > > > is using sssd, just a regular ipa client installation. If I > > > > logged in using USERName insetad of username, the match clause did > not work. > > > > > > > > > > > >-andy > > > > > > > > > > > Do we have any follow up on this thread? Have we closed the loop > > > > > and filed a ticket. > > > > > I had couple complains of the similar matter during Red Hat Summit. > > > > > I seems that this is one of the emerging issues for the trust > environments. > > > > > > > > I wonder if it's still an issue with 1.12.x and the Kerberos plugin > > > > Sumit > wrote. > > > > Do we have a way to track these requests? > > > > > > > > Andy, if you have some test machines, could you give 6.7 a try? > > > > > > > > > > The usernames from AD are still not case sensitive on 6.7 so a > > > > > > Match User Testuser > > > > > > Stanza in the ssh config is not matched if they login as > > > > > > testuser > > > > > > but does match if they login with > > > > > > Testuser > > > > Thanks for the reply. Then I guess sshd doesn't canonicalize the > > username with getpwnam(). But I admit I don't know exactly what sshd > > does, so I hope other developers would chime in here.. > > iirc sshd does call getpwnam() with the name given at the login prompt to > determine if the user exists at all and its home-directory, shell, UID and GID > which is needed later on. But it does not expect that the name gets > canonicalized and continues to use the name given at the login prompt. > > I wonder if it would be possible to use group names in the Match clause in > your setup? Since sshd must call getgroups() and getgrgid() to get this > information here the lower-case group name returned by SSSD should work. > Yes since the groups are retrievable with the new sssd without requiring the user to login any longer, that will work in my use case now. The only reason I ran into the case issue what that I can't use groups on 1.11.x since groups aren't available until a first login. -andy -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] username case sensitivity
On Wed, Jul 01, 2015 at 10:12:54AM +0200, Jakub Hrozek wrote: > On Tue, Jun 30, 2015 at 08:16:05PM +, Andy Thompson wrote: > > > > > > > > On Fri, May 15, 2015 at 09:44:31PM +0200, Lukas Slebodnik wrote: > > > > >On (15/05/15 17:27), Andy Thompson wrote: > > > > >>Is there a way to enforce case sensitivity for trusted AD users? > > > > >>I am > > > > >trying to use username for ssh chroots and I can authenticated > > > > >with any case combination of but if ssh is set to > > > > >match on then the chroot is not enforced and the user > > > > >is dropped to their usual home directory. I found a > > > > >case_sensitive option for sssd but it > > > > does not > > > > >seem to have any affect. Running RHEL6.6 clients. > > > > >IPA domain is by default case sensitive. > > > > >So You will not change anything if you put "case_sensitive = true" > > > > >into domain section of sssd.conf. > > > > > > > > > >But SSSD will create subdomains for each AD domain. It is > > > > >different id_provider therefore different default values are used > > > > >for subdomains and for AD provider it is case *insensitive* by > > > default. > > > > > > > > > >Currently there's no way how to change it for subdomains (AD > > > > >trusted > > > > >domains) > > > > > > > > > What are you using for the SSH matching? The way the case > > > > insensitiveness is implemented in SSSD is that all usernames are > > > > forcibly lowercased on output, so as long as SSH uses the standard > > > > NSS calls, you should be good with using the lowecase usernames.. > > > > > > > > >>>They were initially all in lower case and working when I tested > > > > >>>and finalized > > > > >>the setup. I passed the credentials off and they used mixed case > > > > >>and the match stopped working. > > > > >> > > > > >>What is "they" ? I guess not SSSD but grabbing the data directly from > > > LDAP? > > > > >The match clauses in the sshd config were set to use lower case names. > > > > > It > > > is using sssd, just a regular ipa client installation. If I logged in > > > using > > > USERName insetad of username, the match clause did not work. > > > > > > > > > >-andy > > > > > > > > > Do we have any follow up on this thread? Have we closed the loop and > > > > filed a ticket. > > > > I had couple complains of the similar matter during Red Hat Summit. > > > > I seems that this is one of the emerging issues for the trust > > > > environments. > > > > > > I wonder if it's still an issue with 1.12.x and the Kerberos plugin Sumit > > > wrote. > > > Do we have a way to track these requests? > > > > > > Andy, if you have some test machines, could you give 6.7 a try? > > > > > > > The usernames from AD are still not case sensitive on 6.7 so a > > > > Match User Testuser > > > > Stanza in the ssh config is not matched if they login as > > > > testuser > > > > but does match if they login with > > > > Testuser > > Thanks for the reply. Then I guess sshd doesn't canonicalize the > username with getpwnam(). But I admit I don't know exactly what sshd > does, so I hope other developers would chime in here.. iirc sshd does call getpwnam() with the name given at the login prompt to determine if the user exists at all and its home-directory, shell, UID and GID which is needed later on. But it does not expect that the name gets canonicalized and continues to use the name given at the login prompt. I wonder if it would be possible to use group names in the Match clause in your setup? Since sshd must call getgroups() and getgrgid() to get this information here the lower-case group name returned by SSSD should work. bye, Sumit > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] username case sensitivity
On Tue, Jun 30, 2015 at 08:16:05PM +, Andy Thompson wrote: > > > > > > On Fri, May 15, 2015 at 09:44:31PM +0200, Lukas Slebodnik wrote: > > > >On (15/05/15 17:27), Andy Thompson wrote: > > > >>Is there a way to enforce case sensitivity for trusted AD users? > > > >>I am > > > >trying to use username for ssh chroots and I can authenticated > > > >with any case combination of but if ssh is set to > > > >match on then the chroot is not enforced and the user > > > >is dropped to their usual home directory. I found a > > > >case_sensitive option for sssd but it > > > does not > > > >seem to have any affect. Running RHEL6.6 clients. > > > >IPA domain is by default case sensitive. > > > >So You will not change anything if you put "case_sensitive = true" > > > >into domain section of sssd.conf. > > > > > > > >But SSSD will create subdomains for each AD domain. It is > > > >different id_provider therefore different default values are used > > > >for subdomains and for AD provider it is case *insensitive* by > > default. > > > > > > > >Currently there's no way how to change it for subdomains (AD > > > >trusted > > > >domains) > > > > > > > What are you using for the SSH matching? The way the case > > > insensitiveness is implemented in SSSD is that all usernames are > > > forcibly lowercased on output, so as long as SSH uses the standard > > > NSS calls, you should be good with using the lowecase usernames.. > > > > > > >>>They were initially all in lower case and working when I tested > > > >>>and finalized > > > >>the setup. I passed the credentials off and they used mixed case > > > >>and the match stopped working. > > > >> > > > >>What is "they" ? I guess not SSSD but grabbing the data directly from > > LDAP? > > > >The match clauses in the sshd config were set to use lower case names. > > > >It > > is using sssd, just a regular ipa client installation. If I logged in using > > USERName insetad of username, the match clause did not work. > > > > > > > >-andy > > > > > > > Do we have any follow up on this thread? Have we closed the loop and > > > filed a ticket. > > > I had couple complains of the similar matter during Red Hat Summit. > > > I seems that this is one of the emerging issues for the trust > > > environments. > > > > I wonder if it's still an issue with 1.12.x and the Kerberos plugin Sumit > > wrote. > > Do we have a way to track these requests? > > > > Andy, if you have some test machines, could you give 6.7 a try? > > > > The usernames from AD are still not case sensitive on 6.7 so a > > Match User Testuser > > Stanza in the ssh config is not matched if they login as > > testuser > > but does match if they login with > > Testuser Thanks for the reply. Then I guess sshd doesn't canonicalize the username with getpwnam(). But I admit I don't know exactly what sshd does, so I hope other developers would chime in here.. -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] username case sensitivity
On Fri, Jun 26, 2015 at 09:12:53PM -0400, Dmitri Pal wrote: > On 05/18/2015 06:16 AM, Andy Thompson wrote: > >>-Original Message- > >>From: Jakub Hrozek [mailto:jhro...@redhat.com] > >>Sent: Monday, May 18, 2015 4:07 AM > >>To: Andy Thompson > >>Cc: freeipa-users@redhat.com > >>Subject: Re: [Freeipa-users] username case sensitivity > >> > >>On Sun, May 17, 2015 at 10:26:45PM +, Andy Thompson wrote: > >>>>-Original Message- > >>>>From: freeipa-users-boun...@redhat.com [mailto:freeipa-users- > >>>>boun...@redhat.com] On Behalf Of Jakub Hrozek > >>>>Sent: Sunday, May 17, 2015 5:23 PM > >>>>To: freeipa-users@redhat.com > >>>>Subject: Re: [Freeipa-users] username case sensitivity > >>>> > >>>>On Fri, May 15, 2015 at 09:44:31PM +0200, Lukas Slebodnik wrote: > >>>>>On (15/05/15 17:27), Andy Thompson wrote: > >>>>>>Is there a way to enforce case sensitivity for trusted AD users? > >>>>>>I am > >>>>>trying to use username for ssh chroots and I can authenticated > >>>>>with any case combination of but if ssh is set to match > >>>>>on then the chroot is not enforced and the user is > >>>>>dropped to their usual home directory. I found a case_sensitive > >>>>>option for sssd but it > >>>>does not > >>>>>seem to have any affect. Running RHEL6.6 clients. > >>>>>IPA domain is by default case sensitive. > >>>>>So You will not change anything if you put "case_sensitive = true" > >>>>>into domain section of sssd.conf. > >>>>> > >>>>>But SSSD will create subdomains for each AD domain. It is > >>>>>different id_provider therefore different default values are used > >>>>>for subdomains and for AD provider it is case *insensitive* by default. > >>>>> > >>>>>Currently there's no way how to change it for subdomains (AD > >>>>>trusted > >>>>>domains) > >>>>> > >>>>What are you using for the SSH matching? The way the case > >>>>insensitiveness is implemented in SSSD is that all usernames are > >>>>forcibly lowercased on output, so as long as SSH uses the standard > >>>>NSS calls, you should be good with using the lowecase usernames.. > >>>> > >>>They were initially all in lower case and working when I tested and > >>>finalized > >>the setup. I passed the credentials off and they used mixed case and the > >>match stopped working. > >> > >>What is "they" ? I guess not SSSD but grabbing the data directly from LDAP? > >The match clauses in the sshd config were set to use lower case names. It > >is using sssd, just a regular ipa client installation. If I logged in using > >USERName insetad of username, the match clause did not work. > > > >-andy > > > Do we have any follow up on this thread? Have we closed the loop and filed a > ticket. > I had couple complains of the similar matter during Red Hat Summit. > I seems that this is one of the emerging issues for the trust environments. I wonder if it's still an issue with 1.12.x and the Kerberos plugin Sumit wrote. Do we have a way to track these requests? Andy, if you have some test machines, could you give 6.7 a try? -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] username case sensitivity
On 05/18/2015 06:16 AM, Andy Thompson wrote: -Original Message- From: Jakub Hrozek [mailto:jhro...@redhat.com] Sent: Monday, May 18, 2015 4:07 AM To: Andy Thompson Cc: freeipa-users@redhat.com Subject: Re: [Freeipa-users] username case sensitivity On Sun, May 17, 2015 at 10:26:45PM +, Andy Thompson wrote: -Original Message- From: freeipa-users-boun...@redhat.com [mailto:freeipa-users- boun...@redhat.com] On Behalf Of Jakub Hrozek Sent: Sunday, May 17, 2015 5:23 PM To: freeipa-users@redhat.com Subject: Re: [Freeipa-users] username case sensitivity On Fri, May 15, 2015 at 09:44:31PM +0200, Lukas Slebodnik wrote: On (15/05/15 17:27), Andy Thompson wrote: Is there a way to enforce case sensitivity for trusted AD users? I am trying to use username for ssh chroots and I can authenticated with any case combination of but if ssh is set to match on then the chroot is not enforced and the user is dropped to their usual home directory. I found a case_sensitive option for sssd but it does not seem to have any affect. Running RHEL6.6 clients. IPA domain is by default case sensitive. So You will not change anything if you put "case_sensitive = true" into domain section of sssd.conf. But SSSD will create subdomains for each AD domain. It is different id_provider therefore different default values are used for subdomains and for AD provider it is case *insensitive* by default. Currently there's no way how to change it for subdomains (AD trusted domains) What are you using for the SSH matching? The way the case insensitiveness is implemented in SSSD is that all usernames are forcibly lowercased on output, so as long as SSH uses the standard NSS calls, you should be good with using the lowecase usernames.. They were initially all in lower case and working when I tested and finalized the setup. I passed the credentials off and they used mixed case and the match stopped working. What is "they" ? I guess not SSSD but grabbing the data directly from LDAP? The match clauses in the sshd config were set to use lower case names. It is using sssd, just a regular ipa client installation. If I logged in using USERName insetad of username, the match clause did not work. -andy Do we have any follow up on this thread? Have we closed the loop and filed a ticket. I had couple complains of the similar matter during Red Hat Summit. I seems that this is one of the emerging issues for the trust environments. -- Thank you, Dmitri Pal Director of Engineering for IdM portfolio Red Hat, Inc. -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] username case sensitivity
> -Original Message- > From: Jakub Hrozek [mailto:jhro...@redhat.com] > Sent: Monday, May 18, 2015 4:07 AM > To: Andy Thompson > Cc: freeipa-users@redhat.com > Subject: Re: [Freeipa-users] username case sensitivity > > On Sun, May 17, 2015 at 10:26:45PM +, Andy Thompson wrote: > > > -Original Message- > > > From: freeipa-users-boun...@redhat.com [mailto:freeipa-users- > > > boun...@redhat.com] On Behalf Of Jakub Hrozek > > > Sent: Sunday, May 17, 2015 5:23 PM > > > To: freeipa-users@redhat.com > > > Subject: Re: [Freeipa-users] username case sensitivity > > > > > > On Fri, May 15, 2015 at 09:44:31PM +0200, Lukas Slebodnik wrote: > > > > On (15/05/15 17:27), Andy Thompson wrote: > > > > >Is there a way to enforce case sensitivity for trusted AD users? > > > > >I am > > > > trying to use username for ssh chroots and I can authenticated > > > > with any case combination of but if ssh is set to match > > > > on then the chroot is not enforced and the user is > > > > dropped to their usual home directory. I found a case_sensitive > > > > option for sssd but it > > > does not > > > > seem to have any affect. Running RHEL6.6 clients. > > > > > > > > > > > > > IPA domain is by default case sensitive. > > > > So You will not change anything if you put "case_sensitive = true" > > > > into domain section of sssd.conf. > > > > > > > > But SSSD will create subdomains for each AD domain. It is > > > > different id_provider therefore different default values are used > > > > for subdomains and for AD provider it is case *insensitive* by default. > > > > > > > > Currently there's no way how to change it for subdomains (AD > > > > trusted > > > > domains) > > > > > > > > > > What are you using for the SSH matching? The way the case > > > insensitiveness is implemented in SSSD is that all usernames are > > > forcibly lowercased on output, so as long as SSH uses the standard > > > NSS calls, you should be good with using the lowecase usernames.. > > > > > > > They were initially all in lower case and working when I tested and > > finalized > the setup. I passed the credentials off and they used mixed case and the > match stopped working. > > What is "they" ? I guess not SSSD but grabbing the data directly from LDAP? The match clauses in the sshd config were set to use lower case names. It is using sssd, just a regular ipa client installation. If I logged in using USERName insetad of username, the match clause did not work. -andy -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] username case sensitivity
On Sun, May 17, 2015 at 10:26:45PM +, Andy Thompson wrote: > > -Original Message- > > From: freeipa-users-boun...@redhat.com [mailto:freeipa-users- > > boun...@redhat.com] On Behalf Of Jakub Hrozek > > Sent: Sunday, May 17, 2015 5:23 PM > > To: freeipa-users@redhat.com > > Subject: Re: [Freeipa-users] username case sensitivity > > > > On Fri, May 15, 2015 at 09:44:31PM +0200, Lukas Slebodnik wrote: > > > On (15/05/15 17:27), Andy Thompson wrote: > > > >Is there a way to enforce case sensitivity for trusted AD users? I > > > >am > > > trying to use username for ssh chroots and I can authenticated with > > > any case combination of but if ssh is set to match on > > > then the chroot is not enforced and the user is dropped to > > > their usual home directory. I found a case_sensitive option for sssd but > > > it > > does not > > > seem to have any affect. Running RHEL6.6 clients. > > > > > > > > > > IPA domain is by default case sensitive. > > > So You will not change anything if you put "case_sensitive = true" > > > into domain section of sssd.conf. > > > > > > But SSSD will create subdomains for each AD domain. It is different > > > id_provider therefore different default values are used for subdomains > > > and for AD provider it is case *insensitive* by default. > > > > > > Currently there's no way how to change it for subdomains (AD trusted > > > domains) > > > > > > > What are you using for the SSH matching? The way the case insensitiveness is > > implemented in SSSD is that all usernames are forcibly lowercased on output, > > so as long as SSH uses the standard NSS calls, you should be good with using > > the lowecase usernames.. > > > > They were initially all in lower case and working when I tested and > finalized the setup. I passed the credentials off and they used mixed case > and the match stopped working. What is "they" ? I guess not SSSD but grabbing the data directly from LDAP? -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] username case sensitivity
> -Original Message- > From: freeipa-users-boun...@redhat.com [mailto:freeipa-users- > boun...@redhat.com] On Behalf Of Jakub Hrozek > Sent: Sunday, May 17, 2015 5:23 PM > To: freeipa-users@redhat.com > Subject: Re: [Freeipa-users] username case sensitivity > > On Fri, May 15, 2015 at 09:44:31PM +0200, Lukas Slebodnik wrote: > > On (15/05/15 17:27), Andy Thompson wrote: > > >Is there a way to enforce case sensitivity for trusted AD users? I > > >am > > trying to use username for ssh chroots and I can authenticated with > > any case combination of but if ssh is set to match on > > then the chroot is not enforced and the user is dropped to > > their usual home directory. I found a case_sensitive option for sssd but it > does not > > seem to have any affect. Running RHEL6.6 clients. > > > > > > > IPA domain is by default case sensitive. > > So You will not change anything if you put "case_sensitive = true" > > into domain section of sssd.conf. > > > > But SSSD will create subdomains for each AD domain. It is different > > id_provider therefore different default values are used for subdomains > > and for AD provider it is case *insensitive* by default. > > > > Currently there's no way how to change it for subdomains (AD trusted > > domains) > > > > What are you using for the SSH matching? The way the case insensitiveness is > implemented in SSSD is that all usernames are forcibly lowercased on output, > so as long as SSH uses the standard NSS calls, you should be good with using > the lowecase usernames.. > They were initially all in lower case and working when I tested and finalized the setup. I passed the credentials off and they used mixed case and the match stopped working. -andy -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] username case sensitivity
On Fri, May 15, 2015 at 09:44:31PM +0200, Lukas Slebodnik wrote: > On (15/05/15 17:27), Andy Thompson wrote: > >Is there a way to enforce case sensitivity for trusted AD users? I am > trying to use username for ssh chroots and I can authenticated with any > case combination of but if ssh is set to match on > then the chroot is not enforced and the user is dropped to their usual > home directory. I found a case_sensitive option for sssd but it does not > seem to have any affect. Running RHEL6.6 clients. > > > > IPA domain is by default case sensitive. > So You will not change anything if you put "case_sensitive = true" into domain > section of sssd.conf. > > But SSSD will create subdomains for each AD domain. It is different > id_provider > therefore different default values are used for subdomains and for AD provider > it is case *insensitive* by default. > > Currently there's no way how to change it for subdomains (AD trusted domains) > What are you using for the SSH matching? The way the case insensitiveness is implemented in SSSD is that all usernames are forcibly lowercased on output, so as long as SSH uses the standard NSS calls, you should be good with using the lowecase usernames.. -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] username case sensitivity
On (15/05/15 17:27), Andy Thompson wrote: >Is there a way to enforce case sensitivity for trusted AD users? I am trying >to use username for ssh chroots and I can authenticated with any case >combination of but if ssh is set to match on then the >chroot is not enforced and the user is dropped to their usual home directory. >I found a case_sensitive option for sssd but it does not seem to have any >affect. Running RHEL6.6 clients. > IPA domain is by default case sensitive. So You will not change anything if you put "case_sensitive = true" into domain section of sssd.conf. But SSSD will create subdomains for each AD domain. It is different id_provider therefore different default values are used for subdomains and for AD provider it is case *insensitive* by default. Currently there's no way how to change it for subdomains (AD trusted domains) LS -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project